Some local telecommunications service providers have begun programs for the delivery of advanced voice and data services over IP that will require the implementation of security measures in order to protect both the service providing network assets as well as the customer networks from service affecting malicious intrusions that can cause either network losses or customer grievances. Additionally, the changing paradigm in the area of new services makes it beneficial for such a service provider to position itself ahead of its competitors by being the first to offer the new services afforded by the transformation from a switch based network to an IP based network. Common to both of these efforts are the challenges that are faced by a large size telecommunications service provider namely the impact on scalability and performance.
Security and performance are typically a zero sum game since improved security often results in reduced throughput and performance. This is the case in the area of perimeter protection of customer and network assets as well as in the development of new multimedia and multi-technology services for millions of customers. These challenges are manifested most tellingly in the deployment of a “softswitch” infrastructure that will facilitate a telecommunication service provider achieving a position as “first to market” advanced services. Securing the softswitch assets from potential attack by a malicious intruder is a vitally important component to consider in future IP based networks and services. A security failure in this realm can be extremely costly to the telecommunication service provider both in real economic terms as well as in reputation. The security capability, however, should be implemented in a scalable manner.
Interconnection of large-scale IP networks presents new twists to security challenges that can benefit from added perimeter protection measures. Distinct from traditional data, broadband, Voice over Internet Protocol (VoIP) and multimedia services are interactive, utilize separate signaling and transport flows, and place unique Quality of Service (QoS) and security requirements on the network that take into account users and policies derived from signaling and downstream network topology. Carrier-to-carrier VoIP peering, Hosed IP Centex and other multimedia packet-based services present new challenges for IP networks and edge networking technologies. These services are to be delivered between different IP network “islands” traversing borders between carrier and customer and carrier-to-carrier often between private and public networks. Carriers are confronted with deployment barriers such as security, service level assurance and Network Address Translation (NAT) traversal. Layer 3 and 5 (application) security enhancements are difficult to implement, either because of the inherent very-distributed nature of VoIP networks (many hops), or because they involve the use of digital certificate-based key systems which are notoriously difficult to manage, especially, at the carrier class scale of a network of a typical local service provider's size. An alternative is to protect crucial network assets such as the softswitch infrastructure components, namely media gateways, signaling gateways, and application servers, through the use of network perimeter protection devices that will block potentially nefarious unwanted traffic from ever reaching those assets.
The network edge has evolved to be not only an access point but also a demarcation point and identifies the boundary of trust between the carrier's service network and its external customers and peers. The state of the art in VoIP security today is centered on the protection of these network “borders”. These border devices, of necessity, need to implement firewall capabilities in both stateless and stateful modes thereby introducing new challenges for carrier class implementations, as stateful modes carry the burden of being extremely consumptive of CPU cycles for the devices performing the function.
In VoIP, the ports used to carry the media part of the call, are dynamically assigned through signaling, taken down upon call termination, and reused for a subsequent call at a later time. This technology is denominated “dynamic pinhole filtering” as firewalls need to filter traffic dynamically by opening/closing ports (pinholes) depending on the state and progress of a call. The correct implementation of this technology, at the network edge, provides indeed a good level of protection at a level of granularity not otherwise achievable with other current security technologies.
At least one service provider is currently involved in major projects that should involve the eventual deployment of this stateful capability of “dynamic pinhole filtering”. Value Added Data Security Services (VADSS) may include such things as stateful pinhole filtering and the provisioning of VADSS capabilities to customers from a network's edge and can be provided as a value-added revenue generating service. Another application could involve the large scale deployment of a softswitch that will provide customers with hosted VoIP based services and advanced features. One of the possible devices considered for the security architecture of a softswitch infrastructure is a Session Border Controller (SBC). Such SBCs would include, as an important component, the capability of stateful packet filtering for the media streams. These SBCs with stateful packet filtering would be used in place of conventional devices that perform Network Address Translation (NAT) techniques, but do not include a dynamic filtering capability.
A major issue of concern associated with the testing of this dynamic stateful filtering capability, for both of these potential services, is the verification of its performance at the rates demanded by a carrier class network, namely Gigabit-Ethernet (GigE) interfaces with typical concurrent sessions of the order of up to 100K or higher. Methodology and the integrated tools to perform testing of stateful capable “dynamic pinhole filtering” for evaluating functional operation and performance of firewalls at carrier class traffic levels need to be developed.
Value Added Data Security Services will now be described. Value Added Data Security Services (VADSS) may be implemented as a suite of network-bases services that complement and add value to the basic capabilities of a local carrier's network-based IP—Virtual Private network (VPN) service and, represent a novel way of revenue generation. An exemplary VADSS service suite includes:                Virtualized firewall providing basic stateful firewall-customer-configurable rule sets for packet filtering, and full stateful firewall with dynamic pinhole filtering to protect customer assets from threats outside their network;        Internet Offload—an Internet access capability directly from the IP/MPLS infrastructure; and        IPSec tunnel terminations.        
The ability of VADSS to provide security services and Internet access from within a provider network is what distinguishes VADSS from similar offerings that depend on managed Customer Premise Equipment (CPE). By leveraging the economies of scale of platforms capable of running multiple instances of such applications as firewalls, a service provider can offer these virtualized services at the Service Edge Router level. Internet threats are kept at arm's length, away from the customer access link through network-based firewalls and address translation within the provider infrastructure. VADSS could include the provisioning of virtualized firewalls, each supporting a host of stateless protocols, as well as Application Layer Gateway capabilities for SIP, H.323, Skinny, and MGCP, at GigE rates and supporting 100K concurrent sessions.
Session Border Controllers for softwitch infrastructure will now be described. Existing edge functions such as aggregation, class based queuing and packet marking, address translation, security and admission control are insufficient to meet the requirements for the new softswitch based VoIP services. In addition to these traditional edge functions, VoIP and multimedia services present new requirements on the network edge including QoS and bandwidth theft protection, inter-working of incompatible signaling networks, lawful intercept, e.g., anonymous replication & forwarding of packets, and most significantly, the capability to perform stateful packet inspection, e.g., for voice streams, also called “dynamic packet filtering”, at carrier-class rates. The service delivery network should be augmented with solutions that address these unique requirements. The existing edge router, complemented by an SBC, become the border element in the next generation network (NGN) architecture.
Session Border Controllers are a new category of network equipment designed to complement existing IP infrastructures, to delver critical control functions to enable high quality interactive communications across IP infrastructures, to deliver critical control functions to enable high quality interactive communications across IP network borders. A “session” is any real-time, interactive voice, video or multimedia communication using IP session signaling protocols such as SIP, H.323, MGCP or Megaco/H.248. The “border” is any IP-IP network border such as those between service provider and customer/subscriber, or between two service providers. “Control” functions minimally include security and service assurance. Security functions provide access control and topology hiding at layers 3 and 5. Service assurance functions guarantee session capacity and control.
Security and address preservation features include network access control based on stateful packet inspection, with firewall dynamic pinholes created only for authorized media flows, and network topology hiding at both layer 3 and 5 via double network address and port translations. SBCs additionally protect softswitch, gatekeeper, gateway, application server, media server and other service infrastructure equipment from Denial of Service (DoS) attacks and overload with rate limiting of both signaling messages and media flows. SBCs simultaneously support SIP, MGCP and H.323 networks by actively participating in session signaling and can be controlled by a third part, multi-protocol softswitch, H.323 gatekeeper or MGCP call agent using a pre-standard MIDCOM protocol. The performance requirements for some typical SBCs in a carrier class environment typically range in the order of 5 GBps throughput with 100K concurrent sessions.
Strict verification of the correctness of a security implementation through testing, however, is of paramount importance as any defective implementation could result in windows of vulnerability that could be exploited by a malicious intruder to invade the very assets being protected. In the realm of security, a faulty implementation of a security device is doubly dangerous, as unnoticed backdoors that can be used for malicious intent, will contribute to a false sense of security. These windows of vulnerability can in turn be used by a malicious attacker for a Denial of Service attack, in the simplest case, up to a takeover of network assets that can be used to control and disrupt other parts of the network. The penalty associated with this security capability, however, is a considerable degradation in performance. The consequence of this performance degradation can result in two equally unappealing outcomes: (i) excessively long windows of vulnerability; and (ii) a self-inflicted Denial of Service attack as the underperforming device shuts out subsequent calls.
In view of the above discussion there is a need to properly benchmark and verify the performance of various firewall security devices. Methods and apparatus that will permit a quantification of functionality and performance at carrier-class scales under a variety of signaling conditions and scenarios in addition to different amounts of loading would be especially beneficial.
Stateful packet filtering, performed in firewall security devices, is a very consumptive process in terms of both memory and CPU utilization. Known approaches to benchmarking and verifying the performance of various firewall security devices have not adequately addressed the need to test the level of depth to which a given firewall security device vendor has implemented a particular protocol suite or the effect that different amounts of loading may have on a particular firewall's ability to remain compliant with the wide range of features/signaling possibilities which are possible for a given communications protocol. Firewall compliance with a particular protocol may depend on how a stack, e.g., a SIP or a H.323 protocol stack, used for processing the signals, e.g., session establishment, termination and error handling signaling, is implemented. Often vendors attempt to implement a simplified protocol stack which handles the majority of expected signaling cases but may be less then fully compliant or are implemented in such a manner that particular signaling sceneries will result in firewall failures sooner than other scenarios under a particular signal processing, e.g., SIP signaling, load.
As can be appreciated, it is desirable to be able to detect vendor implementations that may be less than fully conformant with a protocol to be supported, e.g., the complete SIP and/or the complete H.323 protocol, or which will fail for less common signaling scenarios, e.g., incomplete calls or lost signals, under particular loading conditions.
It can be important that a user of a firewall be able to predicate when the firewall will encounter situations when signals, e.g., SIP or other signals relating to calls, cannot be handled at all, or when events midstream will not be detected, thus creating additional possibilities of leaving long windows of vulnerability open. For example, a vendor's streamlined protocol implementation may have left out less frequently occurring use cases or be able to support very limited numbers of such cases. As a result, a firewall device may be unable to handle some functions, thus throttling calls midstream by not opening the pinholes or leaving calls unprocessed mid-way with a corresponding pinhole window of vulnerability. One reason why vendors choose to implement these reduced version protocols is because loading the full protocol stack, with the CPUs typically found in current routers and/or conventional firewall blades, tends to adversely affect other functions of the device, as the CPU shares memory and cycles with other functionalities such as, e.g., packet processing, table searches, and filtering. The issue of CPU utilization by competing simultaneous needs, continues to vex the designers of these firewall security devices, and they will frequently choose to streamline their protocol implementations in order to satisfy the competing demands of call processing (call signaling) with those of state keeping and table look-ups to effect the filtering function.
Thus, it should be appreciated that competing demands can result in a vendor's firewall protection device operating well with regard to one set of circumstances, e.g., normal successful call set up and completion, but operating poorly with regard to another set of circumstances, e.g., where sessions such as calls are terminated prior to normal completion or some session control signals are lost during communication, e.g., to interference and or other communication problems such as excessive network delays.
In general, the slimmer the version of the reduced protocol stack that a vendor implements, the faster the call processing time will be. Thus some vendors decide to intentionally not implement some of the complete protocol stack, e.g., related to functions deemed by the vendor to be non-essential, in order to achieve better call processing characteristics for their device and gain a competitive marketing advantage. However, such tradeoff decisions by a vendor can result in undesirable side effects concerning windows of vulnerability of dynamic pinholes and thus compromise the security of the firewall device under certain conditions. Unfortunately, the vendor may not be aware of the implications of particular design choices under loading conditions corresponding to different protocol features and/or signaling sceneries such as where a session is terminated prematurely or without the expected signaling.
Notably, even in applications where a vendor has attempted to implement a full version of the complete protocol stack in their firewall security device, e.g., a firewall control proxy, it would still be beneficial if methods and apparatus were developed to provide verification that the protocol support, as implemented by the vendor, and the firewall security device hosting the vendor protocol implementation, conform to requirements and conform to advertised specifications under test conditions exercising the full range of protocol features and signaling scenarios which may be encountered. In addition, methods and apparatus that measure and/or benchmark comparative performance with respect to other alternative firewall security devices, e.g., offered by other vendors, would be beneficial. It would be advantageous if such methods and apparatus considered windows of vulnerability of dynamic pinholes.
Based on the above discussion it is apparent that there is a need for methods and apparatus for benchmarking and verifying the performance and/or compliance of various firewall security devices in view of the knowledge that a vendor's protocol stack implementation can be a factor in adversely impacting firewall security including the timely closing of dynamic pinholes. Methods and apparatus that fully or nearly full exercise the full set of protocol features and signaling possibilities, when testing a vendor's firewall security device and monitoring its dynamic pinhole operation characteristics, could provide insight when evaluating and benchmarking such a device. It can also be used to identify particular signaling sceneries which can cause a firewall to fail and may be used to predict the amount of loading at which a failure will occur which might not occur under less stressful, in terms of loading, conditions.